CVE-2020-8135

EPSS 0.51%

Server-Side Request Forgery in @uppy/companion

發布日:2020/9/3修改日:2023/11/8

描述

Versions of `@uppy/companion` prior to 1.9.3 are vulnerable to Server-Side Request Forgery (SSRF). The `get` route passes the user-controlled variable `req.body.url` to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of the server. ## Recommendation Upgrade to version 1.9.3 or later.

受影響套件(1)

npm/@uppy/companionfrom 0, < 1.9.3

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-8135
WEBhttps://hackerone.com/reports/786956
WEBhttps://www.npmjs.com/advisories/1501